Information Security 2023 Spring

Data security course, in English as you asked.

Understand adversarial view on security. Recognize key concepts of security. Be able to safely practice hands-on with security tools.

This course finished in Spring 2023.

Course name and code:Information Security ICI002AS2AE-3001
Timing2023 period 3, early spring, w03-w11
Credits5 cr
ClassesWednesdays 08:15 - 13:45, blended, mandatory participation
Max students30
LanguageEnglish
TypeBlended. Two contact meetings in Pasila, the rest is remote video conference.
Feedback4.6 / 5 Excellent feedback Five star experience *
ServicesMoodle, Jitsi, Laksu
First class2023-01-18 w03 Wed 08:15 Pasila pa3014, physically present with your laptop

* From Data Security course from previous curriculum. This is the first instance of Information Security. I'm giving other security courses, too. Penetration testing (challenging course in Finnish) has reached excellent 5.0 /5, with every participant giving feedback. And Master level (YAMK) Trust to Blockchain has gotten to excellent 4.9 /5.

Agenda

Wednesdays 08:15 to 13:45. Early spring 2023, period p3, weeks w03 to w11.

Two contact meetings, first w03 and last w11. The rest are online video conference in Jitsi. All classes require active participation.

DateTheme
2023-01-18 w03 WedOrganizing. Fundamentals. Practice environments. Contact in Pasila pa3014.
2023-01-25 w04 WedWeb security. Cyber kill chain.
2023-02-01 w05 WedThreath modeling. 9 Miska Kytö, Sulava: My day & zero trust networking.
2023-02-08 w06 WedATT&CK. Cracking hashes.
2023-02-15 w07 WedEncryption.
(w08 is holiday)(no classes on winter holiday)
2023-03-01 w09 WedRecap. Gaillard: Hacking X509 *.
2023-03-08 w10 WedPresentations. Kiran, Zhiqing: Security Data Analysis, Oona; Altti: Using Google dorks to search and detect vulnerabilities; Sakhi, Daria, Sébastien, Ola, Arkadi.
2023-03-15 w11 WedPresentations. Bhabishya, Brenda: Symmetric Encryption; Aikaterini, Dagmawi, Heidi, Oskari, Matthieu, Nicolas. Contact in pa3014.

The themes will be updated during the course, but the dates will stay the same. There will be just two contact meetings, and their dates are already final. So you can safely book these on your calendar.

Goals

After completing this course, you will

  • Understand adversarial view on security
  • Recognize key concepts of security
  • Be able to safely practice hands-on with security tools

Hands-on exercises will emphasize environments fully controlled by you, using free open source software in your possession.

Assessment

  • Active participation in classes
  • Homework (66%)
  • Presentation (33%)

Evaluation of the course is based on totality of the work presented.

Previous courses

This is the first instance of Information Security. But check out my similar course from previous curriculum, Data Security:

Feedback

Thanks already! Your feedback is very important to me. I will read it all (twice+) and make improvements. Please give your feedback to two channels.

1) Free form feedback as a comment on this page

Write your comment on this page.

You can write what ever you want. No need to repeat the questions, but they are here to get you started.

  • Did you learn something? Do you now know something you did not know before the course? (Models, frameworks, ideas, tools?)
  • Did you do something for the first time? (Break web protections with Webgoat, capture traffic, plan attacks? Used some technique or a tool for the first time?)
  • Is this useful? Are these skills useful in companies?
  • How did you like the presentations? Interesting subject? Did you like presenting? Useful information? Actionable?
  • Feelings: did you enjoy the course?
  • How could I improve the course? (I can make almost any change here, if it's important)
  • Would you recommend the course? Have you already recommended it? Who would benefit from the course (a colleague, a fellow student)?

2) Numeric feedback to Haaga-Helia feedback system (Peppi)

Feedback in MyNet (Peppi)

1-worst, 5-best

  • Your active participation in studies
  • Achieving the learning goals
  • The study methods supported learning
  • The study environment supported learning
  • Benefits to your career

Open, you can copy the same answer you gave earlier

  • What promoted your learning?
  • How would you develop the implementation / group of implementations further so that the learning goals could be achieved better?

Your overall assessment of the implementation, 1-worst, 5-best

How likely would you recommend the course to your fellow students? 1-worst, 10-best.

Thank you for your feedback, and thank you for our course!

Optional: Keep up with Linux & security, join Tero's list. (And get invitations to visitors on security)

See you in my future courses!

Homework

Homeworks are done with a computer and reported at the same time. If some task does not require performing tests with a computer, it's specied writing.

Each homework is returned

  • 24 h before start of next lecture
  • you can publish your homework report in any website you like
  • return a link to Laksu
  • cross-evaluate two other homeworks

To save everyone's time, I will remove those from the course who don't return homework.

Github is a convenient place to publish your reports, others are Gitlab and Wordpress.com. I highly recommend publishing your work, it seems to help getting job offers. But if you don't dare or want to publish, you can put your web page behind a password (e.g. in Wordpress.com, same password for all reports), and share this password with your group.

The homeworks are official after they are given in the class. Don't start them before, because they might change.

h1 First steps

Become a hacker, step 0

Start the homework only after you've accepted the rules in course Moodle.

Tips:

  • Why are these tasks just the right level? To prepare you for learning hacker skills in this course.
  • Why are these tasks so hard? => See below, "If you get stuck".
  • Why are these tasks so easy? => Because you've practiced before, good for you. Also do voluntary bonus tasks above for some challenge and development. Still too easy? Contact me for special arrangements, I want you to spend your time efficiently.
  • In "Read and summarize":
    • read first, then summarize
    • summarize key content
      • not just headings
      • don't just describe the article, tell the main things it says
    • add a question, an idea or a comment of your own to each article
  • Yes, you're expected to read the friendly manuals, Google/Duck, and try multiple approaches
  • Refer & link any sources you use
    • Course / the classes
    • Homework assingments
    • Homework reports by other students
    • Any web pages
    • Manuals, Articles, Man pages...
    • Referencing your sources is required
  • When reporting tests on a computer
    • Write while you work
    • Save often
    • Explain why
    • Have some screenshots
    • If some command output is very long, only quote relevant parts (if you want, you can put the long text as an appendix or behind a link)
  • If you get stuck
    • Don't worry: Computers are cranky, that's why they pay hackers well
    • Solve and report all parts you can do
    • Return your partial report in time
    • Google/Duck. That's what the pros do, too. Write down a reference to the sources you used.
    • If you need to look at a walktrough (an exact solution to this homework, task or flag), clearly mark where you needed it.
    • Solve the trouble part as far as you can. Report all approaches taken.
    • Ask about the challenges in the class, likely someone else had the same thing
  • Bandit uses SSH. In Linux, that's 'ssh tero@example.com', and it might also work in new Windowses. For older Windowses, you can also use Putty SSH.
  • Read my (Tero's) articles on how to install Debian & WebGoat before you start
  • To see some example solutions for homeworks, Google/Duck my name + course name, e.g. "Tero Karvinen Penetration Testing" without the quotes.
  • Be safe: in this homework, only attacks you perform are to webgoat running on the localhost of your own computer

h2 Goat

Remember to keep it safe, legal and ethical. Especially if you grasp OWASP 10, you still can't try these to machines you don't own.

  • x) Read and summarize (This subtask x does not require tests with a computer. Some bullets per article is enough for your summary, feel free to write more if you like)
  • a) Sequel. Solve SQLZoo:
    • 0 SELECT basics
    • 2 SELECT from World, from first subtask to 5 "France, Germany, Italy"
  • b) Injected. Solve WebGoat:
    • A1 Injection (intro)
  • m) Voluntary bonus: Pick your tasks from SQLZoo 1, 3-9.
  • n) Voluntary difficult bonus: WebGoat: SQL Injection (advanced).
  • o) Voluntary difficult bonus: Install a relational database, show CRUD operations using SQL
  • q) Voluntary difficult bonus: Demonstrate aggregate functions (SUM, COUNT) with your own data you created in the previous step.
  • p) Voluntary difficult bonus: Install a practice target for SQL injections, exploit it.
  • r) Voluntary difficult bonus: Demonstrate JOIN with your own database

Tips:

  • Pick a CVE:
    • You can get inspiration from CVETrends or many other CVE sites.
    • Or straight from the horse's mouth: Mitre: CVE and @CVEnew in Twitter.
    • You can check Hacker News, Twitter or general news sites for CVEs that are notorius.
    • If you stumbled upon a super complicated CVE and can't understand what it even means, pick a simpler one.
  • Darknet diaries
    • If you pick an episode that's not the last one, you're more likely to pick an episode that's not the same one everyone else picked.
    • Yes, I know it's great podcast. A good choice to get up to speed with famous security incidents.
    • AntennaPod is convenient Android program for listening podcasts. It's available in F-Droid and Google Play. Of course, there are hundreds if not thousands other programs for podcasts, too.
    • Pick any episode. Check descriptions, and pick one that's likely to be suitable here.
    • What did you learn? Point out threat actors, exploits, vulnerabilities and impact. How could defenders mitigate the attack better? How could the attackers improve their attack?
  • SQLZoo
    • If you've got a lot of experience with databases already and SQLZoo is too easy, you can do the difficult voluntary bonus instead "Install relational database, show..."
    • Yes, I think they really run your queries on database management system
  • WebGoat
    • What kind of quotes did SQL have?
    • If you raise everyone's salaries, are you the richest anymore?
    • The names here are the same as in OWASP 10 2021 and OWASP 10 2017.
    • In injections, it's nice to know:
      • SQL string delimiter (single quote, aphostrophe) "'" (end of user input, start of my hostile injection)
      • SQL comment (double dash) "--" (end of my evil injection, you can ignore the rest, dear database management system)
      • There are many ways to do SQL injection

h3 Attaaack

  • x) Read and summarize (This subtask x does not require tests with a computer. Some bullets per article is enough for your summary, feel free to write more if you like)
    • € Costa-Gazcón 2021: Practical Threat Intelligence and Data-Driven Threat Hunting Chapter 4: Mapping the Adversary (all but "Testing yourself", which is left as voluntary bonus)
  • y) Write an answer with references (this subtask does not require tests with a computer). Answer in the context of Mitre Att&ck, and pick examples that are different from the chapter in task x.
    • Define tactic and give an example.
    • Define technique and subtechnique, and give an example of each.
    • Define procedure, and give an example of each.
  • a) Webgoat: A3 Sensitive data exposure
    • Insecure Login: 2 Let's try
  • n) Voluntary bonus: "Testing yourself" in Costa-Gazcón: Practical Threat Intelligence and Data-Driven Threat Hunting Chapter 4: Mapping the Adversary
  • m) Voluntary difficult bonus: WebGoat: SQL Injection (advanced).

Tips:

h3 Hash

  • x) Read and summarize (This subtask x does not require tests with a computer. Some bullets per article is enough for your summary, feel free to write more if you like)
  • a) Install Hashcat. See Karvinen 2022: Cracking Passwords with Hashcat
  • b) Crack this hash: 8eb8e307a6d649bc7fb51443a06a216f
  • c) Compile John the Ripper, Jumbo version. Karvinen 2023: Crack File Password With John.
  • d) Crack a zip file password
  • n) Voluntary: create a password protected file other than ZIP. Crack the password. How many formats can you handle?

Tips:

h4 Uryyb Greb

  • x) Read and summarize (This subtask x does not require tests with a computer. Some bullets per article is enough for your summary, feel free to write more if you like)
    • € Schneier 2015: Applied Cryptography: 10. Using Algorigthms: 10.1, 10.2, 10.3, 10.4 (from start until the start of "Dereferencing Keys" in 10.4)
  • y) Choose a password manager. Explain: (This subtask y does not require tests with a computer if the question can be answered without them)
    • What treaths does it protect against?
    • What information is encrypted, what's not?
    • What's the license? How would you describe license's effects or categorize it?
    • Where is the data stored? If in "the cloud", which country / juristiction / which companies? If on local disk, where?
    • How is the data protected?
  • a) Demonstrate the use of a password manager.
  • b) Encrypt and decrypt a message (you can use any tool you want, gpg is one option)
  • c) Voluntary bonus: send and receive encrypted message over email.
  • d) Voluntary difficult bonus, requries coding skills: Cryptopals (recommended, if you have what it takes).
  • e) Voluntary bonus, easy: try rot13, the military grade top-secret encryption of the top-2 empire of year zero. Could double rot13 provide extra security?

In-class

joe:95cd3fc01819b69d1a4900e6fe3d293c

Adminstrivia

I will keep updating this page during and after the course.